Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable To 'Broken Authentication and Session Management'?

The primary assets to protect are credentials and session IDs.

Are credentials always protected when stored using hashing or encryption? See A6.
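As an added example (not code from the OWASP page), the following shows the server-side pieces the checklist above asks about: credentials stored only as a salted password hash and verified in constant time, session IDs drawn from a CSPRNG, an idle timeout, and a logout that actually invalidates the session. The PBKDF2-SHA256 parameters, the 15-minute timeout and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed defaults for this example (not taken from the OWASP page): PBKDF2-SHA256
# with a per-user random salt for stored credentials, 256-bit random session IDs,
# and a 15-minute idle timeout.
PBKDF2_ITERATIONS = 600_000
IDLE_TIMEOUT_SECONDS = 15 * 60


def hash_password(password):
    """Return (salt, digest); only this pair is stored, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so timeouts can be tested
        self._sessions = {}

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user_id, "last_seen": self._now()}
        return sid

    def resolve(self, sid):
        """Map a presented session ID to a user, enforcing the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]       # expired: drop it, same as a logout
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        """Invalidate server-side so a leaked ID cannot be replayed afterwards."""
        self._sessions.pop(sid, None)
```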